1/* 2 * AES-based functions 3 * 4 * - AES Key Wrap Algorithm (128-bit KEK) (RFC3394) 5 * - One-Key CBC MAC (OMAC1, i.e., CMAC) hash with AES-128 6 * - AES-128 CTR mode encryption 7 * - AES-128 EAX mode encryption/decryption 8 * - AES-128 CBC 9 * 10 * Copyright (c) 2003-2007, Jouni Malinen <j@w1.fi> 11 * 12 * This program is free software; you can redistribute it and/or modify 13 * it under the terms of the GNU General Public License version 2 as 14 * published by the Free Software Foundation. 15 * 16 * Alternatively, this software may be distributed under the terms of BSD 17 * license. 18 * 19 * See README and COPYING for more details. 20 */ 21 22#include "includes.h" 23 24#include "common.h" 25#include "aes_wrap.h" 26#include "crypto.h" 27 28#ifndef CONFIG_NO_AES_WRAP 29 30/** 31 * aes_wrap - Wrap keys with AES Key Wrap Algorithm (128-bit KEK) (RFC3394) 32 * @kek: 16-octet Key encryption key (KEK) 33 * @n: Length of the plaintext key in 64-bit units; e.g., 2 = 128-bit = 16 34 * bytes 35 * @plain: Plaintext key to be wrapped, n * 64 bits 36 * @cipher: Wrapped key, (n + 1) * 64 bits 37 * Returns: 0 on success, -1 on failure 38 */ 39int aes_wrap(const u8 *kek, int n, const u8 *plain, u8 *cipher) 40{ 41 u8 *a, *r, b[16]; 42 int i, j; 43 void *ctx; 44 45 a = cipher; 46 r = cipher + 8; 47 48 /* 1) Initialize variables. */ 49 os_memset(a, 0xa6, 8); 50 os_memcpy(r, plain, 8 * n); 51 52 ctx = aes_encrypt_init(kek, 16); 53 if (ctx == NULL) 54 return -1; 55 56 /* 2) Calculate intermediate values. 57 * For j = 0 to 5 58 * For i=1 to n 59 * B = AES(K, A | R[i]) 60 * A = MSB(64, B) ^ t where t = (n*j)+i 61 * R[i] = LSB(64, B) 62 */ 63 for (j = 0; j <= 5; j++) { 64 r = cipher + 8; 65 for (i = 1; i <= n; i++) { 66 os_memcpy(b, a, 8); 67 os_memcpy(b + 8, r, 8); 68 aes_encrypt(ctx, b, b); 69 os_memcpy(a, b, 8); 70 a[7] ^= n * j + i; 71 os_memcpy(r, b + 8, 8); 72 r += 8; 73 } 74 } 75 aes_encrypt_deinit(ctx); 76 77 /* 3) Output the results. 78 * 79 * These are already in @cipher due to the location of temporary 80 * variables. 81 */ 82 83 return 0; 84} 85 86#endif /* CONFIG_NO_AES_WRAP */ 87 88 89#ifndef CONFIG_NO_AES_UNWRAP 90 91/** 92 * aes_unwrap - Unwrap key with AES Key Wrap Algorithm (128-bit KEK) (RFC3394) 93 * @kek: Key encryption key (KEK) 94 * @n: Length of the plaintext key in 64-bit units; e.g., 2 = 128-bit = 16 95 * bytes 96 * @cipher: Wrapped key to be unwrapped, (n + 1) * 64 bits 97 * @plain: Plaintext key, n * 64 bits 98 * Returns: 0 on success, -1 on failure (e.g., integrity verification failed) 99 */ 100int aes_unwrap(const u8 *kek, int n, const u8 *cipher, u8 *plain) 101{ 102 u8 a[8], *r, b[16]; 103 int i, j; 104 void *ctx; 105 106 /* 1) Initialize variables. */ 107 os_memcpy(a, cipher, 8); 108 r = plain; 109 os_memcpy(r, cipher + 8, 8 * n); 110 111 ctx = aes_decrypt_init(kek, 16); 112 if (ctx == NULL) 113 return -1; 114 115 /* 2) Compute intermediate values. 116 * For j = 5 to 0 117 * For i = n to 1 118 * B = AES-1(K, (A ^ t) | R[i]) where t = n*j+i 119 * A = MSB(64, B) 120 * R[i] = LSB(64, B) 121 */ 122 for (j = 5; j >= 0; j--) { 123 r = plain + (n - 1) * 8; 124 for (i = n; i >= 1; i--) { 125 os_memcpy(b, a, 8); 126 b[7] ^= n * j + i; 127 128 os_memcpy(b + 8, r, 8); 129 aes_decrypt(ctx, b, b); 130 os_memcpy(a, b, 8); 131 os_memcpy(r, b + 8, 8); 132 r -= 8; 133 } 134 } 135 aes_decrypt_deinit(ctx); 136 137 /* 3) Output results. 138 * 139 * These are already in @plain due to the location of temporary 140 * variables. Just verify that the IV matches with the expected value. 141 */ 142 for (i = 0; i < 8; i++) { 143 if (a[i] != 0xa6) 144 return -1; 145 } 146 147 return 0; 148} 149 150#endif /* CONFIG_NO_AES_UNWRAP */ 151 152 153#define BLOCK_SIZE 16 154 155#ifndef CONFIG_NO_AES_OMAC1 156 157static void gf_mulx(u8 *pad) 158{ 159 int i, carry; 160 161 carry = pad[0] & 0x80; 162 for (i = 0; i < BLOCK_SIZE - 1; i++) 163 pad[i] = (pad[i] << 1) | (pad[i + 1] >> 7); 164 pad[BLOCK_SIZE - 1] <<= 1; 165 if (carry) 166 pad[BLOCK_SIZE - 1] ^= 0x87; 167} 168 169 170/** 171 * omac1_aes_128_vector - One-Key CBC MAC (OMAC1) hash with AES-128 172 * @key: 128-bit key for the hash operation 173 * @num_elem: Number of elements in the data vector 174 * @addr: Pointers to the data areas 175 * @len: Lengths of the data blocks 176 * @mac: Buffer for MAC (128 bits, i.e., 16 bytes) 177 * Returns: 0 on success, -1 on failure 178 * 179 * This is a mode for using block cipher (AES in this case) for authentication. 180 * OMAC1 was standardized with the name CMAC by NIST in a Special Publication 181 * (SP) 800-38B. 182 */ 183int omac1_aes_128_vector(const u8 *key, size_t num_elem, 184 const u8 *addr[], const size_t *len, u8 *mac) 185{ 186 void *ctx; 187 u8 cbc[BLOCK_SIZE], pad[BLOCK_SIZE]; 188 const u8 *pos, *end; 189 size_t i, e, left, total_len; 190 191 ctx = aes_encrypt_init(key, 16); 192 if (ctx == NULL) 193 return -1; 194 os_memset(cbc, 0, BLOCK_SIZE); 195 196 total_len = 0; 197 for (e = 0; e < num_elem; e++) 198 total_len += len[e]; 199 left = total_len; 200 201 e = 0; 202 pos = addr[0]; 203 end = pos + len[0]; 204 205 while (left >= BLOCK_SIZE) { 206 for (i = 0; i < BLOCK_SIZE; i++) { 207 cbc[i] ^= *pos++; 208 if (pos >= end) { 209 e++; 210 pos = addr[e]; 211 end = pos + len[e]; 212 } 213 } 214 if (left > BLOCK_SIZE) 215 aes_encrypt(ctx, cbc, cbc); 216 left -= BLOCK_SIZE; 217 } 218 219 os_memset(pad, 0, BLOCK_SIZE); 220 aes_encrypt(ctx, pad, pad); 221 gf_mulx(pad); 222 223 if (left || total_len == 0) { 224 for (i = 0; i < left; i++) { 225 cbc[i] ^= *pos++; 226 if (pos >= end) { 227 e++; 228 pos = addr[e]; 229 end = pos + len[e]; 230 } 231 } 232 cbc[left] ^= 0x80; 233 gf_mulx(pad); 234 } 235 236 for (i = 0; i < BLOCK_SIZE; i++) 237 pad[i] ^= cbc[i]; 238 aes_encrypt(ctx, pad, mac); 239 aes_encrypt_deinit(ctx); 240 return 0; 241} 242 243 244/** 245 * omac1_aes_128 - One-Key CBC MAC (OMAC1) hash with AES-128 (aka AES-CMAC) 246 * @key: 128-bit key for the hash operation 247 * @data: Data buffer for which a MAC is determined 248 * @data_len: Length of data buffer in bytes 249 * @mac: Buffer for MAC (128 bits, i.e., 16 bytes) 250 * Returns: 0 on success, -1 on failure 251 * 252 * This is a mode for using block cipher (AES in this case) for authentication. 253 * OMAC1 was standardized with the name CMAC by NIST in a Special Publication 254 * (SP) 800-38B. 255 */ 256int omac1_aes_128(const u8 *key, const u8 *data, size_t data_len, u8 *mac) 257{ 258 return omac1_aes_128_vector(key, 1, &data, &data_len, mac); 259} 260 261#endif /* CONFIG_NO_AES_OMAC1 */ 262 263 264#ifndef CONFIG_NO_AES_ENCRYPT_BLOCK 265/** 266 * aes_128_encrypt_block - Perform one AES 128-bit block operation 267 * @key: Key for AES 268 * @in: Input data (16 bytes) 269 * @out: Output of the AES block operation (16 bytes) 270 * Returns: 0 on success, -1 on failure 271 */ 272int aes_128_encrypt_block(const u8 *key, const u8 *in, u8 *out) 273{ 274 void *ctx; 275 ctx = aes_encrypt_init(key, 16); 276 if (ctx == NULL) 277 return -1; 278 aes_encrypt(ctx, in, out); 279 aes_encrypt_deinit(ctx); 280 return 0; 281} 282#endif /* CONFIG_NO_AES_ENCRYPT_BLOCK */ 283 284 285#ifndef CONFIG_NO_AES_CTR 286 287/** 288 * aes_128_ctr_encrypt - AES-128 CTR mode encryption 289 * @key: Key for encryption (16 bytes) 290 * @nonce: Nonce for counter mode (16 bytes) 291 * @data: Data to encrypt in-place 292 * @data_len: Length of data in bytes 293 * Returns: 0 on success, -1 on failure 294 */ 295int aes_128_ctr_encrypt(const u8 *key, const u8 *nonce, 296 u8 *data, size_t data_len) 297{ 298 void *ctx; 299 size_t j, len, left = data_len; 300 int i; 301 u8 *pos = data; 302 u8 counter[BLOCK_SIZE], buf[BLOCK_SIZE]; 303 304 ctx = aes_encrypt_init(key, 16); 305 if (ctx == NULL) 306 return -1; 307 os_memcpy(counter, nonce, BLOCK_SIZE); 308 309 while (left > 0) { 310 aes_encrypt(ctx, counter, buf); 311 312 len = (left < BLOCK_SIZE) ? left : BLOCK_SIZE; 313 for (j = 0; j < len; j++) 314 pos[j] ^= buf[j]; 315 pos += len; 316 left -= len; 317 318 for (i = BLOCK_SIZE - 1; i >= 0; i--) { 319 counter[i]++; 320 if (counter[i]) 321 break; 322 } 323 } 324 aes_encrypt_deinit(ctx); 325 return 0; 326} 327 328#endif /* CONFIG_NO_AES_CTR */ 329 330 331#ifndef CONFIG_NO_AES_EAX 332 333/** 334 * aes_128_eax_encrypt - AES-128 EAX mode encryption 335 * @key: Key for encryption (16 bytes) 336 * @nonce: Nonce for counter mode 337 * @nonce_len: Nonce length in bytes 338 * @hdr: Header data to be authenticity protected 339 * @hdr_len: Length of the header data bytes 340 * @data: Data to encrypt in-place 341 * @data_len: Length of data in bytes 342 * @tag: 16-byte tag value 343 * Returns: 0 on success, -1 on failure 344 */ 345int aes_128_eax_encrypt(const u8 *key, const u8 *nonce, size_t nonce_len, 346 const u8 *hdr, size_t hdr_len, 347 u8 *data, size_t data_len, u8 *tag) 348{ 349 u8 *buf; 350 size_t buf_len; 351 u8 nonce_mac[BLOCK_SIZE], hdr_mac[BLOCK_SIZE], data_mac[BLOCK_SIZE]; 352 int i, ret = -1; 353 354 if (nonce_len > data_len) 355 buf_len = nonce_len; 356 else 357 buf_len = data_len; 358 if (hdr_len > buf_len) 359 buf_len = hdr_len; 360 buf_len += 16; 361 362 buf = os_malloc(buf_len); 363 if (buf == NULL) 364 return -1; 365 366 os_memset(buf, 0, 15); 367 368 buf[15] = 0; 369 os_memcpy(buf + 16, nonce, nonce_len); 370 if (omac1_aes_128(key, buf, 16 + nonce_len, nonce_mac)) 371 goto fail; 372 373 buf[15] = 1; 374 os_memcpy(buf + 16, hdr, hdr_len); 375 if (omac1_aes_128(key, buf, 16 + hdr_len, hdr_mac)) 376 goto fail; 377 378 if (aes_128_ctr_encrypt(key, nonce_mac, data, data_len)) 379 goto fail; 380 buf[15] = 2; 381 os_memcpy(buf + 16, data, data_len); 382 if (omac1_aes_128(key, buf, 16 + data_len, data_mac)) 383 goto fail; 384 385 for (i = 0; i < BLOCK_SIZE; i++) 386 tag[i] = nonce_mac[i] ^ data_mac[i] ^ hdr_mac[i]; 387 388 ret = 0; 389fail: 390 os_free(buf); 391 392 return ret; 393} 394 395 396/** 397 * aes_128_eax_decrypt - AES-128 EAX mode decryption 398 * @key: Key for decryption (16 bytes) 399 * @nonce: Nonce for counter mode 400 * @nonce_len: Nonce length in bytes 401 * @hdr: Header data to be authenticity protected 402 * @hdr_len: Length of the header data bytes 403 * @data: Data to encrypt in-place 404 * @data_len: Length of data in bytes 405 * @tag: 16-byte tag value 406 * Returns: 0 on success, -1 on failure, -2 if tag does not match 407 */ 408int aes_128_eax_decrypt(const u8 *key, const u8 *nonce, size_t nonce_len, 409 const u8 *hdr, size_t hdr_len, 410 u8 *data, size_t data_len, const u8 *tag) 411{ 412 u8 *buf; 413 size_t buf_len; 414 u8 nonce_mac[BLOCK_SIZE], hdr_mac[BLOCK_SIZE], data_mac[BLOCK_SIZE]; 415 int i; 416 417 if (nonce_len > data_len) 418 buf_len = nonce_len; 419 else 420 buf_len = data_len; 421 if (hdr_len > buf_len) 422 buf_len = hdr_len; 423 buf_len += 16; 424 425 buf = os_malloc(buf_len); 426 if (buf == NULL) 427 return -1; 428 429 os_memset(buf, 0, 15); 430 431 buf[15] = 0; 432 os_memcpy(buf + 16, nonce, nonce_len); 433 if (omac1_aes_128(key, buf, 16 + nonce_len, nonce_mac)) { 434 os_free(buf); 435 return -1; 436 } 437 438 buf[15] = 1; 439 os_memcpy(buf + 16, hdr, hdr_len); 440 if (omac1_aes_128(key, buf, 16 + hdr_len, hdr_mac)) { 441 os_free(buf); 442 return -1; 443 } 444 445 buf[15] = 2; 446 os_memcpy(buf + 16, data, data_len); 447 if (omac1_aes_128(key, buf, 16 + data_len, data_mac)) { 448 os_free(buf); 449 return -1; 450 } 451 452 os_free(buf); 453 454 for (i = 0; i < BLOCK_SIZE; i++) { 455 if (tag[i] != (nonce_mac[i] ^ data_mac[i] ^ hdr_mac[i])) 456 return -2; 457 } 458 459 return aes_128_ctr_encrypt(key, nonce_mac, data, data_len); 460} 461 462#endif /* CONFIG_NO_AES_EAX */ 463 464 465#ifndef CONFIG_NO_AES_CBC 466 467/** 468 * aes_128_cbc_encrypt - AES-128 CBC encryption 469 * @key: Encryption key 470 * @iv: Encryption IV for CBC mode (16 bytes) 471 * @data: Data to encrypt in-place 472 * @data_len: Length of data in bytes (must be divisible by 16) 473 * Returns: 0 on success, -1 on failure 474 */ 475int aes_128_cbc_encrypt(const u8 *key, const u8 *iv, u8 *data, size_t data_len) 476{ 477 void *ctx; 478 u8 cbc[BLOCK_SIZE]; 479 u8 *pos = data; 480 int i, j, blocks; 481 482 ctx = aes_encrypt_init(key, 16); 483 if (ctx == NULL) 484 return -1; 485 os_memcpy(cbc, iv, BLOCK_SIZE); 486 487 blocks = data_len / BLOCK_SIZE; 488 for (i = 0; i < blocks; i++) { 489 for (j = 0; j < BLOCK_SIZE; j++) 490 cbc[j] ^= pos[j]; 491 aes_encrypt(ctx, cbc, cbc); 492 os_memcpy(pos, cbc, BLOCK_SIZE); 493 pos += BLOCK_SIZE; 494 } 495 aes_encrypt_deinit(ctx); 496 return 0; 497} 498 499 500/** 501 * aes_128_cbc_decrypt - AES-128 CBC decryption 502 * @key: Decryption key 503 * @iv: Decryption IV for CBC mode (16 bytes) 504 * @data: Data to decrypt in-place 505 * @data_len: Length of data in bytes (must be divisible by 16) 506 * Returns: 0 on success, -1 on failure 507 */ 508int aes_128_cbc_decrypt(const u8 *key, const u8 *iv, u8 *data, size_t data_len) 509{ 510 void *ctx; 511 u8 cbc[BLOCK_SIZE], tmp[BLOCK_SIZE]; 512 u8 *pos = data; 513 int i, j, blocks; 514 515 ctx = aes_decrypt_init(key, 16); 516 if (ctx == NULL) 517 return -1; 518 os_memcpy(cbc, iv, BLOCK_SIZE); 519 520 blocks = data_len / BLOCK_SIZE; 521 for (i = 0; i < blocks; i++) { 522 os_memcpy(tmp, pos, BLOCK_SIZE); 523 aes_decrypt(ctx, pos, pos); 524 for (j = 0; j < BLOCK_SIZE; j++) 525 pos[j] ^= cbc[j]; 526 os_memcpy(cbc, tmp, BLOCK_SIZE); 527 pos += BLOCK_SIZE; 528 } 529 aes_decrypt_deinit(ctx); 530 return 0; 531} 532 533#endif /* CONFIG_NO_AES_CBC */ 534